TLS 1.3 with PSK using Network framework

We are trying to establish a PSK connection with TLS 1.3 on iOS platforms. TLS 1.2 worked fine using the APIs below from the Network framework.

For that we used APIs like sec_protocol_options_add_pre_shared_key and sec_protocol_options_set_pre_shared_key_selection_block, whereas the same APIs do not connect to the server for TLS 1.3 PSK.

We are setting the TLS min and max version through sec_protocol_options_set_min_tls_protocol_version(securityProtocolOptions, .TLSv13) and sec_protocol_options_set_max_tls_protocol_version(securityProtocolOptions, .TLSv13).

This results in OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED, and the cipher suites we set through sec_protocol_options_append_tls_ciphersuite(tlsOptions.securityProtocolOptions, .CHACHA20_POLY1305_SHA256) are not reflected in Wireshark either.

Also, if we change min_tls_protocol_version to .TLSv12, a TLS 1.2 connection happens, but the cipher suites we set are not added at all to the list of cipher suites in Wireshark.

Any suggestions to get PSK connection successfully with TLS 1.3?

Any suggestions to get PSK connection successfully with TLS 1.3?

Last I knew, using pre-shared keys for TLS was not supported on iOS or macOS for TLS 1.3, only TLS 1.2 (r. 53459020). This would be an Enhancement Request to support TLS 1.3 with PSK. Please respond back with the Feedback ID.

You can use certificate based TLS with a digital identity and that will support TLS 1.3.

Regarding:

and also the cipher suites we set through sec_protocol_options_append_tls_ciphersuite(tlsOptions.securityProtocolOptions, .CHACHA20_POLY1305_SHA256) does not get reflected in Wireshark too.

Yes, I suspect that since TLS 1.3 is not supported in the PSK context that your cipher suite is trying to default to a supported cipher instead.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
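
For reference, the TLS 1.2 PSK configuration that the reply above describes as supported, written out as an added example that is not part of the original thread or Apple's code. The function names, the choice of TLS_PSK_WITH_AES_128_GCM_SHA256, pinning both version bounds to TLS 1.2, and the host and port arguments are assumptions.

```swift
import Foundation
import Network
import Security

// Builds NWParameters for a TLS 1.2 PSK connection.
// `psk` and `pskIdentity` are caller-supplied; provision the key out of band
// and load it from the keychain rather than embedding it in source.
func makeTLS12PSKParameters(psk: Data, pskIdentity: Data) -> NWParameters {
    let tlsOptions = NWProtocolTLS.Options()
    let sec = tlsOptions.securityProtocolOptions

    // The C API takes dispatch_data_t; DispatchData(bytes:) copies the buffer.
    let keyData = psk.withUnsafeBytes { DispatchData(bytes: $0) }
    let identityData = pskIdentity.withUnsafeBytes { DispatchData(bytes: $0) }
    sec_protocol_options_add_pre_shared_key(sec,
                                            keyData as __DispatchData,
                                            identityData as __DispatchData)

    // Assumption: a TLS 1.2 PSK suite. The thread does not name the suite used
    // for TLS 1.2; CHACHA20_POLY1305_SHA256 from the question is a TLS 1.3 suite.
    sec_protocol_options_append_tls_ciphersuite(
        sec, tls_ciphersuite_t(rawValue: UInt16(TLS_PSK_WITH_AES_128_GCM_SHA256))!)

    // Pin the version to TLS 1.2, the only version the reply lists for PSK,
    // so the stack never offers a version range it cannot satisfy.
    sec_protocol_options_set_min_tls_protocol_version(sec, .TLSv12)
    sec_protocol_options_set_max_tls_protocol_version(sec, .TLSv12)

    return NWParameters(tls: tlsOptions)
}

// Opens a connection with those parameters and logs handshake failures,
// which is where a version or cipher suite mismatch shows up.
func connectWithPSK(host: String, port: UInt16, psk: Data, pskIdentity: Data) -> NWConnection? {
    guard let nwPort = NWEndpoint.Port(rawValue: port) else { return nil }
    let connection = NWConnection(host: NWEndpoint.Host(host), port: nwPort,
                                  using: makeTLS12PSKParameters(psk: psk, pskIdentity: pskIdentity))
    connection.stateUpdateHandler = { state in
        switch state {
        case .ready: print("TLS 1.2 PSK handshake complete")
        case .waiting(let error), .failed(let error): print("connection error: \(error)")
        default: break
        }
    }
    connection.start(queue: .main)
    return connection
}
```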